KEYCLOAK-14197 Client Policy - Condition : Client - Client Host
This commit is contained in:
parent
cd9e01af90
commit
a51e0cc484
6 changed files with 305 additions and 216 deletions
|
@ -1,90 +0,0 @@
|
|||
/*
|
||||
* Copyright 2020 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.keycloak.services.clientpolicy.condition;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
|
||||
import org.jboss.logging.Logger;
|
||||
|
||||
import org.keycloak.component.ComponentModel;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.services.clientpolicy.ClientPolicyContext;
|
||||
import org.keycloak.services.clientpolicy.ClientPolicyException;
|
||||
import org.keycloak.services.clientpolicy.ClientPolicyLogger;
|
||||
import org.keycloak.services.clientpolicy.ClientPolicyVote;
|
||||
|
||||
public class ClientIpAddressCondition implements ClientPolicyConditionProvider {
|
||||
|
||||
private static final Logger logger = Logger.getLogger(ClientIpAddressCondition.class);
|
||||
|
||||
private final KeycloakSession session;
|
||||
private final ComponentModel componentModel;
|
||||
|
||||
public ClientIpAddressCondition(KeycloakSession session, ComponentModel componentModel) {
|
||||
this.session = session;
|
||||
this.componentModel = componentModel;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getName() {
|
||||
return componentModel.getName();
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getProviderId() {
|
||||
return componentModel.getProviderId();
|
||||
}
|
||||
|
||||
@Override
|
||||
public ClientPolicyVote applyPolicy(ClientPolicyContext context) throws ClientPolicyException {
|
||||
switch (context.getEvent()) {
|
||||
case TOKEN_REQUEST:
|
||||
case TOKEN_REFRESH:
|
||||
case TOKEN_REVOKE:
|
||||
case TOKEN_INTROSPECT:
|
||||
case USERINFO_REQUEST:
|
||||
case LOGOUT_REQUEST:
|
||||
if (isIpAddressMatched()) return ClientPolicyVote.YES;
|
||||
return ClientPolicyVote.NO;
|
||||
default:
|
||||
return ClientPolicyVote.ABSTAIN;
|
||||
}
|
||||
}
|
||||
|
||||
private boolean isIpAddressMatched() {
|
||||
String ipAddr = session.getContext().getConnection().getRemoteAddr();
|
||||
|
||||
List<String> expectedIpAddresses = componentModel.getConfig().get(ClientIpAddressConditionFactory.IPADDR);
|
||||
if (expectedIpAddresses == null) expectedIpAddresses = Collections.emptyList();
|
||||
|
||||
if (logger.isTraceEnabled()) {
|
||||
ClientPolicyLogger.log(logger, "ip address = " + ipAddr);
|
||||
expectedIpAddresses.stream().forEach(i -> ClientPolicyLogger.log(logger, "ip address expected = " + i));
|
||||
}
|
||||
|
||||
boolean isMatched = expectedIpAddresses.stream().anyMatch(i -> i.equals(ipAddr));
|
||||
if (isMatched) {
|
||||
ClientPolicyLogger.log(logger, "ip address matched.");
|
||||
} else {
|
||||
ClientPolicyLogger.log(logger, "ip address unmatched.");
|
||||
}
|
||||
return isMatched;
|
||||
}
|
||||
|
||||
}
|
|
@ -1,74 +0,0 @@
|
|||
/*
|
||||
* Copyright 2020 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.keycloak.services.clientpolicy.condition;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import org.keycloak.Config.Scope;
|
||||
import org.keycloak.component.ComponentModel;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.KeycloakSessionFactory;
|
||||
import org.keycloak.provider.ProviderConfigProperty;
|
||||
|
||||
public class ClientIpAddressConditionFactory implements ClientPolicyConditionProviderFactory {
|
||||
|
||||
public static final String PROVIDER_ID = "client-ipaddr-condition";
|
||||
public static final String IPADDR = "ipaddr";
|
||||
|
||||
private static final List<ProviderConfigProperty> configProperties = new ArrayList<ProviderConfigProperty>();
|
||||
|
||||
static {
|
||||
ProviderConfigProperty property;
|
||||
property = new ProviderConfigProperty(IPADDR, PROVIDER_ID + ".label", PROVIDER_ID + ".tooltip", ProviderConfigProperty.MULTIVALUED_STRING_TYPE, "0.0.0.0");
|
||||
configProperties.add(property);
|
||||
}
|
||||
|
||||
@Override
|
||||
public ClientPolicyConditionProvider create(KeycloakSession session, ComponentModel model) {
|
||||
return new ClientIpAddressCondition(session, model);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void init(Scope config) {
|
||||
}
|
||||
|
||||
@Override
|
||||
public void postInit(KeycloakSessionFactory factory) {
|
||||
}
|
||||
|
||||
@Override
|
||||
public void close() {
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return PROVIDER_ID;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getHelpText() {
|
||||
return "It uses the client's IP address to determine whether the policy is applied.";
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<ProviderConfigProperty> getConfigProperties() {
|
||||
return configProperties;
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,164 @@
|
|||
/*
|
||||
* Copyright 2020 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.keycloak.services.clientpolicy.condition;
|
||||
|
||||
import java.net.InetAddress;
|
||||
import java.net.UnknownHostException;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import org.jboss.logging.Logger;
|
||||
import org.keycloak.component.ComponentModel;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.services.clientpolicy.ClientPolicyContext;
|
||||
import org.keycloak.services.clientpolicy.ClientPolicyException;
|
||||
import org.keycloak.services.clientpolicy.ClientPolicyLogger;
|
||||
import org.keycloak.services.clientpolicy.ClientPolicyVote;
|
||||
|
||||
public class ClientUpdateSourceHostsCondition implements ClientPolicyConditionProvider {
|
||||
|
||||
private static final Logger logger = Logger.getLogger(ClientUpdateSourceHostsCondition.class);
|
||||
|
||||
private final KeycloakSession session;
|
||||
private final ComponentModel componentModel;
|
||||
|
||||
public ClientUpdateSourceHostsCondition(KeycloakSession session, ComponentModel componentModel) {
|
||||
this.session = session;
|
||||
this.componentModel = componentModel;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getName() {
|
||||
return componentModel.getName();
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getProviderId() {
|
||||
return componentModel.getProviderId();
|
||||
}
|
||||
|
||||
@Override
|
||||
public ClientPolicyVote applyPolicy(ClientPolicyContext context) throws ClientPolicyException {
|
||||
switch (context.getEvent()) {
|
||||
case REGISTER:
|
||||
case UPDATE:
|
||||
if (!isHostMustMatch()) return ClientPolicyVote.ABSTAIN;
|
||||
if (isHostMatched()) return ClientPolicyVote.YES;
|
||||
return ClientPolicyVote.NO;
|
||||
default:
|
||||
return ClientPolicyVote.ABSTAIN;
|
||||
}
|
||||
}
|
||||
|
||||
private boolean isHostMatched() {
|
||||
String hostAddress = session.getContext().getConnection().getRemoteAddr();
|
||||
|
||||
ClientPolicyLogger.logv(logger, "Verifying remote host {0}", hostAddress);
|
||||
|
||||
List<String> trustedHosts = getTrustedHosts();
|
||||
List<String> trustedDomains = getTrustedDomains();
|
||||
|
||||
// Verify trustedHosts by their IP addresses
|
||||
String verifiedHost = verifyHostInTrustedHosts(hostAddress, trustedHosts);
|
||||
if (verifiedHost != null) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Verify domains if hostAddress hostname belongs to the domain. This assumes proper DNS setup
|
||||
verifiedHost = verifyHostInTrustedDomains(hostAddress, trustedDomains);
|
||||
if (verifiedHost != null) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
protected List<String> getTrustedHosts() {
|
||||
List<String> trustedHostsConfig = componentModel.getConfig().getList(ClientUpdateSourceHostsConditionFactory.TRUSTED_HOSTS);
|
||||
return trustedHostsConfig.stream().filter((String hostname) -> {
|
||||
|
||||
return !hostname.startsWith("*.");
|
||||
|
||||
}).collect(Collectors.toList());
|
||||
}
|
||||
|
||||
protected List<String> getTrustedDomains() {
|
||||
List<String> trustedHostsConfig = componentModel.getConfig().getList(ClientUpdateSourceHostsConditionFactory.TRUSTED_HOSTS);
|
||||
List<String> domains = new LinkedList<>();
|
||||
|
||||
for (String hostname : trustedHostsConfig) {
|
||||
if (hostname.startsWith("*.")) {
|
||||
hostname = hostname.substring(2);
|
||||
domains.add(hostname);
|
||||
}
|
||||
}
|
||||
|
||||
return domains;
|
||||
}
|
||||
|
||||
protected String verifyHostInTrustedHosts(String hostAddress, List<String> trustedHosts) {
|
||||
for (String confHostName : trustedHosts) {
|
||||
try {
|
||||
String hostIPAddress = InetAddress.getByName(confHostName).getHostAddress();
|
||||
|
||||
ClientPolicyLogger.logv(logger, "Trying host {0} of address {1}", confHostName, hostIPAddress);
|
||||
if (hostIPAddress.equals(hostAddress)) {
|
||||
ClientPolicyLogger.logv(logger, "Successfully verified host : {0}", confHostName);
|
||||
return confHostName;
|
||||
}
|
||||
} catch (UnknownHostException uhe) {
|
||||
ClientPolicyLogger.logv(logger, "Unknown host from realm configuration: {0}", confHostName);
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
protected String verifyHostInTrustedDomains(String hostAddress, List<String> trustedDomains) {
|
||||
if (!trustedDomains.isEmpty()) {
|
||||
try {
|
||||
String hostname = InetAddress.getByName(hostAddress).getHostName();
|
||||
|
||||
ClientPolicyLogger.logv(logger, "Trying verify request from address {0} of host {1} by domains", hostAddress, hostname);
|
||||
|
||||
for (String confDomain : trustedDomains) {
|
||||
if (hostname.endsWith(confDomain)) {
|
||||
ClientPolicyLogger.logv(logger, "Successfully verified host {0} by trusted domain {1}", hostname, confDomain);
|
||||
return hostname;
|
||||
}
|
||||
}
|
||||
} catch (UnknownHostException uhe) {
|
||||
ClientPolicyLogger.logv(logger, "Request of address {0} came from unknown host. Skip verification by domains", hostAddress);
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
boolean isHostMustMatch() {
|
||||
return parseBoolean(ClientUpdateSourceHostsConditionFactory.HOST_SENDING_REQUEST_MUST_MATCH);
|
||||
}
|
||||
|
||||
// True by default
|
||||
private boolean parseBoolean(String propertyKey) {
|
||||
String val = componentModel.getConfig().getFirst(propertyKey);
|
||||
return val==null || Boolean.parseBoolean(val);
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,88 @@
|
|||
/*
|
||||
* Copyright 2020 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.keycloak.services.clientpolicy.condition;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
||||
import org.keycloak.Config.Scope;
|
||||
import org.keycloak.component.ComponentModel;
|
||||
import org.keycloak.component.ComponentValidationException;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.KeycloakSessionFactory;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.provider.ConfigurationValidationHelper;
|
||||
import org.keycloak.provider.ProviderConfigProperty;
|
||||
|
||||
public class ClientUpdateSourceHostsConditionFactory implements ClientPolicyConditionProviderFactory {
|
||||
|
||||
public static final String PROVIDER_ID = "clientupdatesourcehost-condition";
|
||||
|
||||
public static final String TRUSTED_HOSTS = "trusted-hosts";
|
||||
|
||||
public static final String HOST_SENDING_REQUEST_MUST_MATCH = "host-sending-request-must-match";
|
||||
|
||||
private static final ProviderConfigProperty TRUSTED_HOSTS_PROPERTY = new ProviderConfigProperty(TRUSTED_HOSTS, "clientupdate-trusted-hosts.label", "clientupdate-trusted-hosts.tooltip", ProviderConfigProperty.MULTIVALUED_STRING_TYPE, null);
|
||||
|
||||
private static final ProviderConfigProperty HOST_SENDING_REGISTRATION_REQUEST_MUST_MATCH_PROPERTY = new ProviderConfigProperty(HOST_SENDING_REQUEST_MUST_MATCH, "host-sending-request-must-match.label",
|
||||
"host-sending-request-must-match.tooltip", ProviderConfigProperty.BOOLEAN_TYPE, "true");
|
||||
|
||||
@Override
|
||||
public ClientPolicyConditionProvider create(KeycloakSession session, ComponentModel model) {
|
||||
return new ClientUpdateSourceHostsCondition(session, model);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void init(Scope config) {
|
||||
}
|
||||
|
||||
@Override
|
||||
public void postInit(KeycloakSessionFactory factory) {
|
||||
}
|
||||
|
||||
@Override
|
||||
public void close() {
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getId() {
|
||||
return PROVIDER_ID;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getHelpText() {
|
||||
return "The condition checks the host/domain of the entity who tries to create/update the client to determine whether the policy is applied.";
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<ProviderConfigProperty> getConfigProperties() {
|
||||
return Arrays.asList(TRUSTED_HOSTS_PROPERTY, HOST_SENDING_REGISTRATION_REQUEST_MUST_MATCH_PROPERTY);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void validateConfiguration(KeycloakSession session, RealmModel realm, ComponentModel config) throws ComponentValidationException {
|
||||
ConfigurationValidationHelper.check(config)
|
||||
.checkBoolean(HOST_SENDING_REGISTRATION_REQUEST_MUST_MATCH_PROPERTY, true);
|
||||
|
||||
ClientUpdateSourceHostsCondition policy = new ClientUpdateSourceHostsCondition(session, config);
|
||||
if (!policy.isHostMustMatch()) {
|
||||
throw new ComponentValidationException("At least one of hosts verification must be enabled");
|
||||
}
|
||||
|
||||
}
|
||||
}
|
|
@ -1,5 +1,5 @@
|
|||
org.keycloak.services.clientpolicy.condition.ClientUpdateContextConditionFactory
|
||||
org.keycloak.services.clientpolicy.condition.ClientRolesConditionFactory
|
||||
org.keycloak.services.clientpolicy.condition.ClientIpAddressConditionFactory
|
||||
org.keycloak.services.clientpolicy.condition.ClientScopesConditionFactory
|
||||
org.keycloak.services.clientpolicy.condition.ClientAccessTypeConditionFactory
|
||||
org.keycloak.services.clientpolicy.condition.ClientUpdateSourceHostsConditionFactory
|
|
@ -81,9 +81,9 @@ import org.keycloak.services.clientpolicy.ClientPolicyException;
|
|||
import org.keycloak.services.clientpolicy.ClientPolicyProvider;
|
||||
import org.keycloak.services.clientpolicy.DefaultClientPolicyProviderFactory;
|
||||
import org.keycloak.services.clientpolicy.condition.ClientAccessTypeConditionFactory;
|
||||
import org.keycloak.services.clientpolicy.condition.ClientIpAddressConditionFactory;
|
||||
import org.keycloak.services.clientpolicy.condition.ClientPolicyConditionProvider;
|
||||
import org.keycloak.services.clientpolicy.condition.ClientUpdateContextConditionFactory;
|
||||
import org.keycloak.services.clientpolicy.condition.ClientUpdateSourceHostsConditionFactory;
|
||||
import org.keycloak.services.clientpolicy.condition.ClientRolesConditionFactory;
|
||||
import org.keycloak.services.clientpolicy.condition.ClientScopesConditionFactory;
|
||||
import org.keycloak.services.clientpolicy.executor.ClientPolicyExecutorProvider;
|
||||
|
@ -97,7 +97,9 @@ import org.keycloak.services.clientpolicy.executor.SecureSigningAlgorithmEnforce
|
|||
import org.keycloak.testsuite.AbstractKeycloakTest;
|
||||
import org.keycloak.testsuite.AssertEvents;
|
||||
import org.keycloak.testsuite.admin.ApiUtil;
|
||||
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
|
||||
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
|
||||
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
|
||||
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
|
||||
import org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource;
|
||||
import org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject;
|
||||
|
@ -733,43 +735,6 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
|
|||
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testClientIpAddressCondition() throws ClientRegistrationException, ClientPolicyException {
|
||||
String policyName = "MyPolicy";
|
||||
createPolicy(policyName, DefaultClientPolicyProviderFactory.PROVIDER_ID, null, null, null);
|
||||
logger.info("... Created Policy : " + policyName);
|
||||
|
||||
createCondition("ClientIpAddressCondition", ClientIpAddressConditionFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
|
||||
setConditionClientIpAddress(provider, new ArrayList<>(Arrays.asList("0.0.0.0", "127.0.0.1")));
|
||||
});
|
||||
registerCondition("ClientIpAddressCondition", policyName);
|
||||
logger.info("... Registered Condition : ClientIpAddressCondition");
|
||||
|
||||
createExecutor("PKCEEnforceExecutor", PKCEEnforceExecutorFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
|
||||
setExecutorAugmentDeactivate(provider);
|
||||
});
|
||||
registerExecutor("PKCEEnforceExecutor", policyName);
|
||||
logger.info("... Registered Executor : PKCEEnforceExecutor");
|
||||
|
||||
String clientId = "Zahlungs-App";
|
||||
String clientSecret = "secret";
|
||||
String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
|
||||
clientRep.setSecret(clientSecret);
|
||||
});
|
||||
|
||||
try {
|
||||
failTokenRequestByNotFollowingPKCE(clientId, clientSecret);
|
||||
|
||||
updateCondition("ClientIpAddressCondition", (ComponentRepresentation provider) -> {
|
||||
setConditionClientIpAddress(provider, new ArrayList<>(Arrays.asList("10.255.255.255")));
|
||||
});
|
||||
|
||||
successfulLoginAndLogout(clientId, clientSecret);
|
||||
} finally {
|
||||
deleteClientByAdmin(cid);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSecureSessionEnforceExecutor() throws ClientRegistrationException, ClientPolicyException {
|
||||
String policyBetaName = "MyPolicy-beta";
|
||||
|
@ -1031,14 +996,6 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
|
|||
registerCondition("ClientAccessTypeCondition", policyName);
|
||||
logger.info("... Registered Condition : ClientAccessTypeCondition");
|
||||
|
||||
policyName = "MyPolicy-ClientIpAddressCondition";
|
||||
createPolicy(policyName, DefaultClientPolicyProviderFactory.PROVIDER_ID, null, null, null);
|
||||
logger.info("... Created Policy : " + policyName);
|
||||
createCondition("ClientIpAddressCondition", ClientIpAddressConditionFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
|
||||
});
|
||||
registerCondition("ClientIpAddressCondition", policyName);
|
||||
logger.info("... Registered Condition : ClientIpAddressCondition");
|
||||
|
||||
policyName = "MyPolicy-ClientScopesCondition";
|
||||
createPolicy(policyName, DefaultClientPolicyProviderFactory.PROVIDER_ID, null, null, null);
|
||||
logger.info("... Created Policy : " + policyName);
|
||||
|
@ -1078,6 +1035,49 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
|
|||
}
|
||||
}
|
||||
|
||||
@AuthServerContainerExclude(AuthServer.REMOTE)
|
||||
public void testClientUpdateSourceHostsCondition() throws ClientRegistrationException, ClientPolicyException {
|
||||
String policyName = "MyPolicy";
|
||||
createPolicy(policyName, DefaultClientPolicyProviderFactory.PROVIDER_ID, null, null, null);
|
||||
logger.info("... Created Policy : " + policyName);
|
||||
|
||||
createCondition("ClientUpdateSourceHostsCondition", ClientUpdateSourceHostsConditionFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
|
||||
setConditionClientUpdateSourceHosts(provider, new ArrayList<>(Arrays.asList("localhost", "127.0.0.1")));
|
||||
});
|
||||
registerCondition("ClientUpdateSourceHostsCondition", policyName);
|
||||
logger.info("... Registered Condition : ClientUpdateSourceHostsCondition");
|
||||
|
||||
createExecutor("SecureClientAuthEnforceExecutor", SecureClientAuthEnforceExecutorFactory.PROVIDER_ID, null, (ComponentRepresentation provider) -> {
|
||||
setExecutorAcceptedClientAuthMethods(provider, new ArrayList<>(Arrays.asList(
|
||||
JWTClientAuthenticator.PROVIDER_ID, JWTClientSecretAuthenticator.PROVIDER_ID, X509ClientAuthenticator.PROVIDER_ID)));
|
||||
});
|
||||
registerExecutor("SecureClientAuthEnforceExecutor", policyName);
|
||||
logger.info("... Registered Executor : SecureClientAuthEnforceExecutor");
|
||||
|
||||
String clientAlphaId = "Alpha-App";
|
||||
String clientAlphaSecret = "secretAlpha";
|
||||
try {
|
||||
createClientByAdmin(clientAlphaId, (ClientRepresentation clientRep) -> {
|
||||
clientRep.setSecret(clientAlphaSecret);
|
||||
});
|
||||
fail();
|
||||
} catch (ClientPolicyException e) {
|
||||
assertEquals(Errors.INVALID_REGISTRATION, e.getMessage());
|
||||
}
|
||||
|
||||
String cAlphaId = null;
|
||||
try {
|
||||
updateCondition("ClientUpdateSourceHostsCondition", (ComponentRepresentation provider) -> {
|
||||
setConditionClientUpdateSourceHosts(provider, new ArrayList<>(Arrays.asList("example.com")));
|
||||
});
|
||||
cAlphaId = createClientByAdmin(clientAlphaId, (ClientRepresentation clientRep) -> {
|
||||
clientRep.setSecret(clientAlphaSecret);
|
||||
});
|
||||
} finally {
|
||||
deleteClientByAdmin(cAlphaId);
|
||||
}
|
||||
}
|
||||
|
||||
private AuthorizationEndpointRequestObject createValidRequestObjectForSecureRequestObjectExecutor(String clientId) throws URISyntaxException {
|
||||
AuthorizationEndpointRequestObject requestObject = new AuthorizationEndpointRequestObject();
|
||||
requestObject.id(KeycloakModelUtils.generateId());
|
||||
|
@ -1529,10 +1529,6 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
|
|||
provider.getConfig().put(ClientRolesConditionFactory.ROLES, clientRoles);
|
||||
}
|
||||
|
||||
private void setConditionClientIpAddress(ComponentRepresentation provider, List<String> clientIpAddresses) {
|
||||
provider.getConfig().put(ClientIpAddressConditionFactory.IPADDR, clientIpAddresses);
|
||||
}
|
||||
|
||||
private void setConditionClientScopes(ComponentRepresentation provider, List<String> clientScopes) {
|
||||
provider.getConfig().put(ClientScopesConditionFactory.SCOPES, clientScopes);
|
||||
}
|
||||
|
@ -1541,6 +1537,11 @@ public class ClientPolicyBasicsTest extends AbstractKeycloakTest {
|
|||
provider.getConfig().put(ClientAccessTypeConditionFactory.TYPE, clientAccessTypes);
|
||||
}
|
||||
|
||||
private void setConditionClientUpdateSourceHosts(ComponentRepresentation provider, List<String> hosts) {
|
||||
provider.getConfig().putSingle(ClientUpdateSourceHostsConditionFactory.HOST_SENDING_REQUEST_MUST_MATCH, "true");
|
||||
provider.getConfig().put(ClientUpdateSourceHostsConditionFactory.TRUSTED_HOSTS, hosts);
|
||||
}
|
||||
|
||||
private void setExecutorAugmentActivate(ComponentRepresentation provider) {
|
||||
provider.getConfig().putSingle("is-augment", Boolean.TRUE.toString());
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue